Microsoft ADRMSIntegration Guide for Windows Server 2012

Version: 1.1

Date: Tuesday, June 25, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced,modified, adapted, published, translated in anymaterial form (including storage in anymedium byelectronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any thirdparty without the prior written permission of nCipher Security Limited neither shall it be used otherwisethan for the purpose for which it is supplied.

Words and logos markedwith ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EUand other countries.

Mac andOS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft andWindows are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to changewithout notice.

nCipher Security Limitedmakes nowarranty of any kindwith regard to this information, including, but notlimited to, the impliedwarranties of merchantability and fitness for a particular purpose. nCipher SecurityLimited shall not be liable for errors contained herein or for incidental or consequential damagesconcernedwith the furnishing, performance or use of this material.

Where translations have beenmade in this document English is the canonical language.

Page 2 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

Contents

1 Introduction 4

1.1 Product configuration 4

1.2 Supported nShield functionality 4

1.3 Requirements 4

1.4 This guide 5

1.5 More information 5

2 Procedures 6

2.1 Installing the HSM 6

2.2 Installing the nShield support software and configuring the security world 6

2.3 Setting up the infrastructure 6

2.4 Installing and configuring ADRMS 7

2.4.1 Adding users ADRMSADMIN andADRMSSRVC to the Enterprise Admins group 7

2.4.2 Installing Active Directory Certificate Services (Standalone root CA) 7

2.4.3 Creating a new alias (CNAME) 7

2.4.4 Installing and configuring ADRMS as a root cluster 8

2.4.5 Verifying ADRMS functionality 10

2.4.5.1 AddingADRMS cluster to the Local Intranet security zone 10

2.4.5.2 AddingMicrosoft Root certificate to the trusted store 10

2.4.5.3 Restricting permissions on a MicrosoftWord document 11

2.4.5.4 Viewing a rights-protected document 11

2.4.6 Uninstalling ADRMS 12

2.4.7 Unregistering ADRMS Service Connection Point (SCP) 12

3 Troubleshooting 13

Contact Us 14

Europe,Middle East, andAfrica 14

Americas 14

Asia Pacific 14

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 3 of 15

1    Introduction

1 IntroductionTheHardware Security Module (HSM) secures the ADRMS Cluster Key generated and used by theActive Directory Rights Management Services (AD RMS).

Throughout this guide, the term HSM refers to nShield Solo and nShield Connect products.(nShield Solo products were formerly known as nShield.)

You can integrate the ADRMS with an HSM by using the nCipher MSCAPI interface. The benefits ofusing an nShieldHSMwith the ADRMS are:

l Secure storage of the ADRMS Cluster Key

l FIPS 140-2 level 3 validated hardware

l Full life cyclemanagement of the keys

l Failover support

l Load-balancing betweenmodules.

1.1 Product configurationWehave successfully tested nCipher HSM integration with AD RMS in the following configurations:

Operating systemAD RMSversion

Security WorldSoftware version

nShield Solosupport

nShieldConnectsupport

nShield Edgesupport

MicrosoftWindowsServer 2012

2.0 11.61 Yes Yes Yes

1.2 Supported nShield functionalityYou can access the following nShield functionality when you integrate an HSMwith the ADRMS.

Soft cards — Keymanagement Yes FIPS 140-2 level 3 Yes

Key recovery Yes Module-only key Yes K-of-N card set —

Load balancing Yes Key import — Fail over Yes

Key generation Yes

1.3 RequirementsBefore installing the software, we recommend that you familiarize yourself with the ADRMSdocumentation and setup process, and that you have the nCipher documentation available.We also

Page 4 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

1.4    This guide

recommend that you have an agreed organizational Certificate Practices Statement and a SecurityPolicy/Procedure in place covering administration of the HSM.

In particular, these documents should specify the following aspects of HSM administration:

l The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a policyfor managing these cards

l Whether the application keys are protected by themodule or an Operator Card Set (OCS)

l The number and quorum of Operator Cards in theOCS, and a policy for managing these cards

l Whether the security worldmust comply with FIPS 140-2 Level 3

l Key attributes, such as the key size, persistence, and time out.

K/N functionality is not currently supported. This means that youmust create a 1/NOCS.

1.4 This guideThis guide describes how to integrate ADRMS with nShieldHSM.We have thoroughly tested theinstructions in this document. They provide a straightforward integration process. Theremay be otheruntestedways to achieve interoperability. This documentmay not describe every step of the softwaresetup process.

This guide assumes that you are familiar with the nCipher HSM documentation, and the documentationand setup process for AD RMS.

1.5 More informationl For more information about OS support, contact your Microsoft sales representative or nCipherSupport.

l For more information about contacting nCipher, seeAddresses at the end of this guide.

l For more information on administering an nShieldmodule, see theUser Guide.

l Additional documentation produced to support your nShield product is in the document directory ofthe CD-ROM or DVD-ROM for that product.

l For more information about Active Directory Rights Management Services Overview, see theonline documentation at http://technet.microsoft.com/en-us.

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 5 of 15

2    Procedures

2 ProceduresIntegration procedures include:

l Installing the HSM.

l Installing the SecurityWorld Software and configure the nShieldHSM.

l Setting up the infrastructure.

l Installing and configuring ADRMS.

l Verifying ADRMS functionality.

l Uninstalling ADRMS.

This chapter describes these procedures.

2.1 Installing the HSMInstall the HSM using the instructions in theQuick Start Guide for the HSM.We recommend that youinstall the HSM before configuring nShield support software.

2.2 Installing the nShield support software and configuring thesecurity worldTo install the nShield support Software and create the security world:

1. Install the latest version of the nShield support software as described in theUser Guide.Note: We recommend that you always uninstall any existing nShield support software beforeinstalling the new nShield support software.

2. Initialize a security world usingMSCAPI wizardwith module protection or 1/NOCS withoutpassphrase as key protection method.Note: Donot select the option Always use the wizard when creating or importing keys option

while creating security world.

2.3 Setting up the infrastructureTo prepare your AD RMS test environment in your domain, youmust complete the following tasks:

1. Configure the domain controller on <your domain>-DC.

2. Configure the ADRMS database computer on RMS-DB.

3. Configure the ADRMS root cluster computer on RMS-SRV.

4. Configure the ADRMS client computer on RMS-CLNT.

For more information about setting up the infrastructure, see the online documentation athttp://technet.microsoft.com/en-us/library/cc772140.aspx.

Page 6 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

2.4    Installing and configuring ADRMS

2.4 Installing and configuring AD RMSServiceManager handles the installation and configuration of AD RMS. The first server in an ADRMSenvironment is the root cluster. An ADRMS root cluster is composed of one or more ADRMS serversconfigured in a load-balancing environment. These step-by-step instructions describe how to install andconfigure a single-server AD RMS root cluster. The installing user accountmust be a member of theActive Directory Enterprise Admins group to register an ADRMS service connection point (SCP).

2.4.1 Adding users ADRMSADMIN and ADRMSSRVC to the Enterprise AdminsgroupTo add user ADRMSADMIN to the Enterprise Admins group:

1. Log on to <your domain>-DCwith the Administrator account (or another user account in theDomain Admins group).

2. From the Startmenu, select Active Directory Users and Computers.

3. In the console tree, expand <your domain>.com, right-click Users and select New > User.

4. Enter the first name and full name adrmsadmin and click Next.

5. Enter the password for user, click Next and click Finish.

6. Right-click adrmsadmin and go to Properties.

7. Enter the email address adrmsadmin@<your domain>.com and click OK.

8. Double-click Enterprise Admins.

9. Click the Members tab, and click Add.

10. Type adrmsadmin@<your domain>.com, and click OK.

To add user ADRMSSRVC to the Enterprise Admins group, repeat the steps above, replacing adrmsadminwith adrmssrvc.

2.4.2 Installing Active Directory Certificate Services (Standalone root CA)To install Active Directory Certificate Services:

1. Log on to RMS-SRV as <your domain>\ADRMSADMIN.

2. From the Startmenu, select Server Manager.

3. Click Manage, then click Add Roles and Features.

4. In the Add Roles and Featureswindow, click Next.

5. Select the installation type as Role based or Feature based installation and click Next.

6. Select a server from the server pool and click Next. The Add Roleswizard is displayed.

7. On the Select Server Roles page, select the Active Directory Certificate Services checkbox, and click Next.

Follow the online instructions to complete the installation.

2.4.3 Creating a new alias (CNAME)To create a new alias:

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 7 of 15

2    Procedures

1. Log on to <your domain>-DC as Administrator.

2. Open DNS Manager from Start > DNS.

3. Click RMS-SRV Machine name and expand Forward Lookup Zones, and right-click <yourdomain>.com.

4. Select New Alias, and enter the alias name as rmsncp.

5. In Fully qualified domain name (FQDN) for the target host field, browse to the RMS-SRVmachine.Click OK.

2.4.4 Installing and configuring AD RMS as a root clusterTo add the ADRMS Server Role:

1. Log on to RMS-SRV as <your domain>\ADRMSADMIN.

2. From the Startmenu, select Server Manager.

3. Click Manage and then click Add Roles and features.

4. In the Add Roles and Featureswindow, click Next.

5. Select the installation type Role based, and click Next.

6. Select a server from the server pool and click Next. The Add Roleswizard is displayed.

7. On the Select Server Roles page, select the Active Directory Rights Management Services

check box and click Add Features. The Role Services page appears, displaying the ADRMSdependent role services and features.

8. On the Feature page, ensure thatWebServer (IIS), Windows Process Activation Service (WPAS),andMessageQueuing are listed, and click Add Required Role Services. Click Next.

9. Read the ADRMS introduction page, and click Next.

10. On the Select Role Services page, ensure you have selected the Active Directory Rights

Management Server check box, and click Next.

11. On the confirmation page, click Install.

12. After the successful installation, the Result page is displayed. Click Perform an additional

configuration.

13. The ADRMS ConfigurationWindow opens. Click Next.

14. Select Create a new AD RMS cluster, and click Next.

15. On Select configuration database server, select Specify a database server and a database

instance.

16. Click Select, type RMS-DB in the Select Computer dialog box, and then click OK.

17. In Database Instance, click List and select Default Instance, then click Next.

18. Click Specify, type <your domain>\ADRMSSRVC, type the password for the account, click OK, and thenclick Next.

19. Select Cryptographicmode and click Next.

20. Ensure that Use CSP key storage is selected, and click Next.

21. On the Specify AD RMS Cluster key page, select nCipher Cryptographic service provider fromthemenu, and click Next.

Page 8 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

2.4.4   Installing and configuring ADRMS as a root cluster

22. Select the web site where ADRMS is to be installed, and click Next.

In an installation that uses default settings, the only available web site should beDefault Web Site.

23. Select Use an SSL-encrypted connection (https://).

24. In the Fully-Qualified Domain Name box, type rmsncp.<your domain>.com. Click Next.

Ensure Fully Qualified Domain Name and CNAME are the same.

25. Select Choose a certificate for SSL encryption later, and click Next.

26. Type rmsncp in the Name field of the Licensor certificate, and click Next.

27. Ensure that Register the AD RMS service connection point now is selected, and then click Next.This registers the ADRMS service connection point (SCP) in Active Directory during installation.

28. Click Install to provision ADRMS on the computer.

29. When the process is complete, click Close.

30. Open the IIS Manager by selecting Internet Information Service Manager from the Startmenu.

31. Click the IIS Server.

32. Double-click the Server Certificates icon.

33. On the right-hand side of the IIS Manager window, click the Create Certificate Request link.

34. Fill out the certificate properties page. In the common name field, enter the same name that youentered for server licensor certificate (rmsncp), and click Next.

35. On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel

Cryptographic Provider from themenu, and click Next.

Because of a certificate licensing issue, you cannot use nCipher CSPs for requestingcertificates.

36. Enter the certificate request file name, and click Finish.

37. Send the certificate request toMicrosoft CA (http://RMS-SRV.<your domain>.com/certsrv), anddownload the certificate.

38. On the right-hand side of the IIS Managerwindow, click the Complete Certificate Request link.

39. Show the path of the signed certificate, enter the Friendly name, and click OK.

The Friendly Namemust be the same as the server licensor certificate name.

40. On the left-hand side of the IIS Managerwindow under Sites, click Default website.

41. On the right-hand side of the IIS Managerwindow, click the Bindings link.

42. In Site Bindings, click Add.

43. Select the protocol as HTTPS, and select the certificates from themenu. Click OK to complete thecertificate binding for SSL connection.

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 9 of 15

2    Procedures

44. Click Restart to restart the IIS server.

45. Log off from the server, and then log on again to update the security token of the logged-on useraccount.

The user account that is logged on when the ADRMS server role is installed is automatically made amember of the ADRMS Enterprise Administrators local group. A user must be a member of that group toadminister AD RMS.

The ADRMS root cluster is now installed and configured.

2.4.5 Verifying AD RMS functionalityThe ADRMS client is included in the default installation of Windows Vista andWindows Server 2012.Before you can consume rights-protected content, youmust add the ADRMS cluster URL to the LocalIntranet security zone. Add the ADRMS cluster URL to the Local Intranet security zone for all users whoare to consume rights-protected content.

2.4.5.1 Adding AD RMS cluster to the Local Intranet security zone

1. Log on to RMS-CLNT as user_fin (<your domain>\user_fin).

2. From the Startmenu, select All Programs > Internet Explorer.

3. Select Tools > Internet Options.

4. Click the Security tab, click Local intranet, and then click Sites.

5. Click Advanced.

6. In the Add this website to the zone field, enter https://rmsncp.<your domain>.com, and clickAdd, then click Close.

7. Repeat the preceding steps for user_mar (<your domain>\user_mar) and user_eng (<yourdomain>\user_eng).

2.4.5.2 Adding Microsoft Root certificate to the trusted store

1. DownloadMicrosoft CA root certificate.

2. Open Microsoft Management Console.

3. Select File > Add/Remove Snap-in > Add.

4. Select Certificates > Add > My User Account > Finish.

5. Select Add Standalone Snap-in. and click OK.

6. Expand Certificates > Current-User, then expand Third-Party Root Certification

Authorities.

7. Right-click Certificates > All Tasks > Import. The Certificate Import Wizard opens. ClickNext to display the path of theMicrosoft CA root certificate. Click Next.

8. Keep the default selection, and click Next, then click Finish.

9. Repeat the preceding steps for user_mar (<your domain>\user_mar) and user_eng (<yourdomain>\user_eng).

Page 10 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

2.4.5.3   Restricting permissions on a MicrosoftWord document

2.4.5.3 Restricting permissions on a Microsoft Word documentTo verify the functionality of the ADRMS deployment, you log on as user_fin, and then restrictpermissions on a MicrosoftWord 2007 document so that user_mar can read the document but cannotchange, print, or copy it. You then log on as user_mar, and verify that the proper permission to read thedocument has been granted, but no permissions to change, print, or copy it have been granted.

1. Log on to RMS-CLNT as user_fin (<your domain>\user_fin).

2. From the Startmenu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

3. On the blank document page, type user_mar can read this document, but cannot

change, print, or copy it.

4. Click the Microsoft Office Button, then select Prepare > Restrict Permission > Restricted

Access.

5. Select the Restrict permission to this document checkbox.

6. In the Read box, type user_mar@<your domain>.com, and then click OK to close the Permission dialogbox.

7. Click the Microsoft Office Button, click Save As, and then save the file as \\RMS-DB\Public\RMS-TST.docx.

8. Log off as user_fin.

2.4.5.4 Viewing a rights-protected document

1. Log on to RMS-CLNT as user_mar (<your domain>\user_mar).

2. From the Startmenu, select All Programs > Microsoft Office > Microsoft Office Word 2007.

3. Click the Microsoft Office Button, and then click Open.

4. In the File name box, type \\RMS-DB\Public\RMS-TST.docx, and then click Open.The followingmessage appears:Permission to this document is currently restricted. Microsoft Officemust connect tohttps://rmsncp.<your domain>.com:443/_wmcs/licensing to verify your credentials and downloadyour permission.

5. Click OK. The followingmessage appears: Verifying your credentials for opening content

with restricted permissions.

6. When the document opens, click the Microsoft Office button.

The Print option is not available.

7. CloseMicrosoftWord.

8. Log off as user_mar.

You have successfully installed and demonstrated the functionality of AD RMS, by simply applyingrestricted permissions to a MicrosoftWord 2007 document.

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 11 of 15

2    Procedures

2.4.6 Uninstalling AD RMS

1. Open Server Manager.

2. Click Roles > Remove Roles. The Remove Roles Wizard opens. Click Next.

3. Deselect Active Directory Rights Management Services, and click Next.

4. When thewizard prompts you, reboot themachine.

2.4.7 Unregistering AD RMS Service Connection Point (SCP)To unregister AD RMS SCP:

1. Download the RMS SP2 Administration Toolkit fromhttp://www.microsoft.com/downloads/details.aspx?FamilyID=bae62cfc-d5a7-46d2-9063-0f6885c26b98&displaylang=en.

2. Install the RMS SP2 Administration Toolkit.

3. Open a command prompt, and navigate to the C:\Program Files\RMS SP2 Administration

Toolkit\ADScpRegister folder.

4. Run the command:ADScpRegister.exe unregisterscp

Page 12 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

3    Troubleshooting

3 TroubleshootingProblem Resolution

While installing ADRMS, you see the error:

Attempt to configure Active Directory

Rights Management Server

failed.

Fail to generate enrolee certificate

public key.

EnsureMicrosoft SQLServer is working properly, orreboot the ADRMS-DBmachine.

While installing ADRMS, you see the error:

Attempt to configure Active Directory

Rights Management Server

failed.

The AD RMS installation could not

determine the certificate hierarchy.

If the AD RMS service connection point

(SCP) you need to use is

registered in Active Directory but is not

valid, revise it to make

it valid, or create a new SCP, and install

AD RMS again.

Unregister ADRMS Service Connection Point (SCP)using RMS SP2 Administration Toolkit, and installagain.

While installing ADRMS, you see the error:

Attempt to configure Active Directory

Rights Management Server

failed.

Provisioning of AD RMS timed out without

any specific error.

Remove and re-install AD RMS to attempt

provisioning again.

Recreate security world by unselecting the Alwaysuse the wizard when creating or importing keys

option, and reinstall AD RMS.

Ensure the key protection method isneither Softcard nor K-of-N cardsetprotection, because ADRMS does notsupport thesemethods.

When the recipient tries to open the restricteddocument, they see the error in RMS Clientmachine (Microsoft VISTA, SP1):

This Service is temporarily unavailable.

Microsoft Internet Explorer may be set to

Work offline.

In Internet Explorer, verify that Work

Offline on the File menu is

not selected, and try again.

Import theMicrosoft CA root certificate into the Third-Party Root Certification Authorities store of My User

Account, and try again.

Microsoft ADRMS - Integration Guide for Windows Server 2012 Page 13 of 15

Contact Us

Contact UsWeb site: https://www.ncipher.comSupport: https://help.ncipher.comEmail Support: support@ncipher.comOnline documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444One Station SquareCambridgeCB1 2GAUK

Americas

Toll Free: +1 833 425 1990Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – ASuite 130,13800 NW 14 StreetSunriseFL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070World Trade Centre Northbank WharfSiddeley StMelbourne VIC 3005Australia

Japan: +81 50 3196 4994HongKong: +852 3008 3188

10/F, V-Point,18 Tang Lung StreetCauseway BayHongKong

Page 14 of 15 Microsoft ADRMS - Integration Guide for Windows Server 2012

About nCipher Security

Today’s fastmoving digital environment enhances customer satisfaction, gives competitive advantage and improvesoperational efficiency. It alsomultiplies the security risks. nCipher Security, a leader in the general purpose hardwaresecuritymodule (HSM) market, empowers world-leading organizations by delivering trust, integrity and control to theirbusiness critical information and applications.

Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments –and helpmeetnew compliancemandates, using the same proven technology that global organizations depend on today to protectagainst threats to their sensitive data, networkcommunications and enterprise infrastructure.We deliver trust for yourbusiness critical applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, atall times.www.ncipher.com